The sender reputation of the sending Simple Mail Transfer Protocol (SMTP) email server is compromised in some way.

A customer-controlled FOPE policy rule identifies and disposes of the legitimate email message as spam.

The spam score that is assigned by FOPE to a legitimate email message incorrectly meets the threshold that is required to identify the email message as spam.

To determine how a message was processed and the cause of the issue, examine the header of the false-positive for the following information:


Header value: X-CustomSpam: …

Description: This entry indicates that this message was filtered by using Additional Spam Filter (ASF) options.

Diagnosis: The presence of this entry indicates that the false-negative was processed by using ASF options.

Resolution: If this entry is present, use Method 2 in the "Resolution" section.

Header value: X-BigFish: vps#...

Description: This entry indicates that FOPE processed the message as follows:

v: was virus-scanned
p: was policy-scanned
s: was spam-scanned
#: represents spam score

Diagnosis: Not having the "s" value indicates that spam filtering was bypassed. Not having the "p" value indicates that policy filtering was bypassed.

Resolution: If the "s" value is absent, but spam filtering is not disabled, use Method 3 in the "Resolution" section. If "p" value is present, but it is not expected because policy filtering is disabled, use Method 3 in the "Resolution" section.

Header value: X-SpamScore: # …

Description: This entry indicates the FOPE spam score.

Diagnosis: For comparative analysis only. No specific issue can be identified by this value.

Resolution: -
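The header checks described above, written as a small Python triage function. This is an added example, not code from Microsoft or FOPE: the sample messages are constructed, and the parsing assumes that the X-BigFish value starts with the flag letters followed by the numeric score, as the header description states.

```python
import re
from email import message_from_string

# Assumed layout (from the table): flag letters v/p/s, then the numeric score.
BIGFISH_RE = re.compile(r"\s*([vps]*)\s*(-?\d+)?", re.IGNORECASE)

def triage(raw_message, spam_filtering_enabled=True, policy_filtering_enabled=True):
    """Apply the header table to one message; the two switches describe
    how the administrator has configured the service for this domain."""
    msg = message_from_string(raw_message)
    result = {"flags": set(), "bigfish_score": None, "spam_score": None, "findings": []}

    # X-CustomSpam: presence alone is the signal.
    if msg.get("X-CustomSpam") is not None:
        result["findings"].append(
            "X-CustomSpam present: processed by ASF options (table: Method 2)")

    bigfish = msg.get("X-BigFish")
    if bigfish is None:
        result["findings"].append("X-BigFish absent: no processing flags to check")
    else:
        m = BIGFISH_RE.match(bigfish)
        result["flags"] = set(m.group(1).lower())
        if m.group(2) is not None:
            result["bigfish_score"] = int(m.group(2))
        if "s" not in result["flags"] and spam_filtering_enabled:
            result["findings"].append(
                "no 's' flag: spam filtering bypassed although enabled (Method 3)")
        if "p" in result["flags"] and not policy_filtering_enabled:
            result["findings"].append(
                "'p' flag set although policy filtering is disabled (Method 3)")

    # X-SpamScore: kept for comparison only; it identifies no issue by itself.
    m = re.match(r"\s*(-?\d+)", msg.get("X-SpamScore", ""))
    if m:
        result["spam_score"] = int(m.group(1))
    return result

# Constructed sample messages (not real FOPE output).
SAMPLE_ASF = ("X-CustomSpam: constructed-asf-tag\nX-BigFish: vps42\n"
              "X-SpamScore: 42\nSubject: Invoice\n\nbody\n")
SAMPLE_BYPASS = ("X-BigFish: vp0\nX-SpamScore: 0\nSubject: Report\n\nbody\n")

if __name__ == "__main__":
    for sample in (SAMPLE_ASF, SAMPLE_BYPASS):
        print(triage(sample))
```

Save the quarantined message with its original headers intact before running it through the function; a forwarded copy no longer carries the headers FOPE stamped.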

Before you try to correct other issues, it is important to identify whether there are sender reputation issues on the SMTP server that is sending the mail item. If this is the case, note the following:

The spam score that FOPE assigns to all mail items from that server is automatically incremented based on the sender reputation problems that are detected.

Any correction of the sender reputation issues must be conducted by the administrator of the sending SMTP server.

The sender reputation score may be viewed in the message header.

The sender reputation score is most directly related to the following aspects of SMTP server setup:

HELO/EHLO analysis

Forward and reverse Domain Name System (DNS) lookup

Analysis of Spam Confidence Level (SCL) ratings on messages from a particular sender

Sender open proxy test

For more information about sender reputation, visit the following Microsoft TechNet website:

To resolve this issue, use one of the following methods, as appropriate for your situation.

Method 1: De-activate Additional Spam Filtering options

Additional Spam Filtering (ASF) options enable you to customize aspects of email messages that should adversely affect spam scoring. When a mail item is identified by using one or more active ASF options, the spam score increases the probability that FOPE will identify and quarantine that item as spam. For more information about how to use ASF, visit the following Microsoft TechNet website:

Note: Mail items that are identified as spam by ASF options cannot be overridden by spam signature changes to the FOPE service. These false-positives must be corrected by de-activation of the ASF option that is bumping the email message spam score over the threshold.

Method 2: Submit false-positive samples to FOPE Spam Team

The spam-scanning heuristics of the FOPE data center have to be updated to exclude the signature of the email message that is received. In this case, identify the item as spam to the FOPE team by using either of the following methods:

Using the Junk E-mail Reporting Add-In for Microsoft Office Outlook (http://technet.microsoft.com/en-us/library/ff898336.aspx)

Note: If the Not Junk button is absent when a message is viewed in spam quarantine, the message was filtered because of restrictions that the email administrator has applied, such as an ASF option or a custom policy rule.

Submit by email. To do this, follow these steps:

Create a new email message and then attach the false-positive message to it.

Note: Make sure that the spam mail item is not forwarded or replied to in the submission because these actions change the mail header information that is used to evaluate the submission.

The FOPE Spam Team will review messages that are submitted to false_positive@messaging.microsoft.com. The filtering process is not immediate and sometimes requires improving several rules or creating a new rule, and this may take an extended time. Although FOPE helps protect users from any unwanted mail, FOPE must also weigh these changes and improvements to make sure that legitimate mail is not filtered out. Continue to send examples of offending messages so that the Spam Team can fine-tune the filtering rules to be as accurate as possible.

A submission report is available in the FOPE Administration Center to verify how many submissions the organization is creating. For more information about the kinds of reports that are available in FOPE, visit the following Microsoft TechNet website:

Method 3: Adjust custom policy rules

FOPE administrators have the additional option of managing their own logic for spam filtering. This includes enabling, quarantining, or rejecting mail items based on customized, customer-controlled criteria. Custom policy rules can be used to either tighten or loosen the spam scanning security profile based on customer needs.

Note: You may have to use this method either to establish spam filtering bypass rules or to loosen previously created policy rules that are falsely identifying legitimate email messages as spam.

For more information about how to create customer policy rules, visit the following Microsoft TechNet websites:

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.